Configuring Transparent Data Encryption for Ozone

Transparent Data Encryption (TDE) allows data on the disks to be encrypted-at-rest and automatically decrypted during access. For Ozone, you can enable TDE at the bucket-level.

  • The Key Management Server must be installed and running. Ozone uses the same Key Management Server as HDFS.
  • If you are using Ranger Key Management Server, then you must ensure that the key management admin user has assigned the om service user with the Get Metadata and Generate EEK permissions.

    Further, you must ensure that any user attempting to create an encryption key has the required permissions in Ranger.

  • For information about adding or editing permissions on Ranger, see Add or edit permissions.
  1. Create a bucket encryption key.
    hadoop key create enck1

    This command creates an encryption key for the bucket you want to protect. After the key is created, Ozone can use that key when you are reading and writing data into a bucket.

  2. Assign the encryption key to a bucket.
    The following example shows how you can assign the key enck1 to the bucket encbucket1:
    ozone sh bucket create -k enck1 /vol/encbucket1
    After you run this command, all data written to encbucket1 will be encrypted using encKey. During the read process, the client applications interact with the Key Management Server to read the key and decrypt it.

    The encryption of data is completely transparent to users and client applications.